North American Network Operators Group

Re[8]: "portscans" (was Re: Arbor Networks DoS defense product)

  • From: Allan Liska
  • Date: Sun May 19 14:16:48 2002

Hello Ralph,

Sunday, May 19, 2002, 12:13:35 PM, you wrote:

>> RD> I think that's pretty stupid.  If I had my network admin investigate every
>> RD> portscan, my staff costs would go up 10x and I'd quickly go bankrupt.
>> RD> Instead we keep our servers very secure, and spend the time and effort
>> RD> only when there is evidence of a break in.
>> 
>> I didn't say investigate every portscan, I said assume every portscan
>> is hostile.  There is a big difference.

RD> So you assume it's hostile and do what?  Automatically block the source
RD> IP? If you do that then you open up a bigger DOS hole.  Then if someone
RD> sends a bunch of SYN scans with the source address spoofed as your
RD> upstream transit providers' BGP peering IP, poof! you're gone.

You do the same thing you do with any attack: Log the information
and take appropriate action.  If you are constantly getting scanned
from one netblock, you should be aware of that, the only way to be
aware of it is to keep a record of all port scans.

A portscan may be innocent, though I agree with those who have said
previously that most portscans are not innocent, in which case it
gets filed away into a database and forgotten.  However, if the same
network is continuously portscanning your network that network should
be stopped.

This whole process can be automated, so that it does not involve
manual intervention...but don't you think a good network administrator
should know what is happening to their network?  And, since there is
no way to distinguish an innocent portscan from one that is a
precursor to an attack, wouldn't it make sense to keep track of all
portscans?


allan
-- 
allan
[email protected]
http://www.allan.org